Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pdnsutil accepts a as nsec3 salt #12650

Closed
aerique opened this issue Mar 15, 2023 · 1 comment
Closed

pdnsutil accepts a as nsec3 salt #12650

aerique opened this issue Mar 15, 2023 · 1 comment
Assignees
@miodvallat
Labels
auth defect
Milestone
auth-5

Comments

@aerique
Copy link
Member

aerique commented Mar 15, 2023

  • Program: Authoritative
  • Issue type: Bug report

Short description

According to @Habbie the salt for NSEC3PARAM should be either - or an even number of hex digits, but it also accepts a as salt and turns it into a0.

Environment

  • Operating system: Linux / Docker
  • Software version: 4.6.4 but @Habbie confirmed it also happens on master
  • Software source: powerdns/pdns-auth-46 (Docker)

Steps to reproduce

pdns@6deb0af3f606:/$ pdnsutil set-nsec3 normal.example.com "1 0 0 -"
NSEC3 set, Done, please secure and rectify your zone (or reload it if you are using the bindbackend)

pdns@6deb0af3f606:/$ pdnsutil show-zone normal.example.com
This is a Native zone
Zone is not actively secured
Metadata items: 
	NSEC3PARAM	1 0 0 -
	SOA-EDIT-API	DEFAULT
No keys for zone 'normal.example.com'.

pdns@6deb0af3f606:/$ pdnsutil set-nsec3 normal.example.com "1 0 0 ab"
NSEC3 set, Done, please secure and rectify your zone (or reload it if you are using the bindbackend)

pdns@6deb0af3f606:/$ pdnsutil show-zone normal.example.com
This is a Native zone
Zone is not actively secured
Metadata items: 
	NSEC3PARAM	1 0 0 ab
	SOA-EDIT-API	DEFAULT
No keys for zone 'normal.example.com'.

pdns@6deb0af3f606:/$ pdnsutil set-nsec3 normal.example.com "1 0 0 a"
NSEC3 set, Done, please secure and rectify your zone (or reload it if you are using the bindbackend)

pdns@6deb0af3f606:/$ pdnsutil show-zone normal.example.com
This is a Native zone
Zone is not actively secured
Metadata items: 
	NSEC3PARAM	1 0 0 a0
	SOA-EDIT-API	DEFAULT
No keys for zone 'normal.example.com'.

Expected behaviour

pdnsutil set-nsec3 normal.example.com "1 0 0 a" should give an error that an even number of hex digits is expected

Actual behaviour

a got accepted as salt and converted to a0

Other information

I talked and confirmed this issue with @Habbie on corporate private messages.
@aerique aerique added the auth label Mar 15, 2023
@Habbie Habbie added this to the auth-4.8.0 milestone Mar 15, 2023
@Habbie Habbie modified the milestones: auth-4.8.0, auth-4.9.0 Apr 14, 2023
@Habbie Habbie modified the milestones: auth-4.9.0, auth-5 Jan 23, 2024
@miodvallat miodvallat self-assigned this Dec 2, 2024
@miodvallat
Copy link
Contributor

Tentative fix in #14913.

@Habbie Habbie mentioned this issue Dec 2, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@miodvallat miodvallat

Labels
auth defect
Projects
None yet
Milestone
auth-5
Development

No branches or pull requests
4 participants
@aerique @Habbie @rgacogne @miodvallat